This is on a new server running Debian Wheezy but should apply roughly on all UNIXoid systems.

Setting up a service with runit is quite simple, but a bit different from traditional (self-backgrounding) services: there is a run script that performs all necessary setup and then execs the actual program. The exec is what keeps the PID the same; runit signals that PID on stop/restart, so if the script merely ran the program as a child the signal would hit the script and not the daemon. Likewise the service itself must not fork into the background; it should just keep running in the foreground. Optionally, its stdout is piped into a dependent log service. Should either ever crash or exit, runit restarts it automatically.
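As an added illustration (not code from the original post), here is a shell script that writes such a run/log pair and shows what the exec actually buys you. The runit tools chpst and svlogd, the daemon command, the user nobody and the log directory are assumed placeholders:

```shell
#!/bin/sh
# Added example (not from the original post): a minimal runit service
# directory and a demonstration of why the run script has to exec the daemon.
# Assumes POSIX sh, ps and the runit tools chpst/svlogd; the daemon command,
# user and log directory are placeholders.

# Write <dir>/run and <dir>/log/run. "run" does its setup, then execs the
# daemon so the PID runit supervises is the daemon itself; "log/run" execs
# svlogd, which receives the daemon's stdout through the pipe runit sets up.
make_runit_service() {
    dir=$1        # service directory, e.g. /etc/sv/mydaemon
    daemon=$2     # foreground command, e.g. "/usr/local/bin/mydaemon --foreground"
    logdir=$3     # e.g. /var/log/mydaemon
    mkdir -p "$dir/log"
    cat > "$dir/run" <<EOF
#!/bin/sh
# setup (directories, environment, ...) goes here
exec 2>&1
exec chpst -u nobody $daemon
EOF
    cat > "$dir/log/run" <<EOF
#!/bin/sh
mkdir -p $logdir
exec svlogd -tt $logdir
EOF
    chmod 755 "$dir/run" "$dir/log/run"
}

# Start "sh -c <cmd>" in the background the way a supervisor would and report
# which program the PID it got actually refers to. Without exec the PID is
# the wrapper shell, so "sv stop" (SIGTERM to that PID) would leave the real
# daemon running; with exec the PID is the daemon.
tracked_command() {
    sh -c "$1" >/dev/null 2>&1 &
    pid=$!
    sleep 1
    name=$(basename "$(ps -o comm= -p "$pid" 2>/dev/null)" 2>/dev/null)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$name"
}

# tracked_command 'sleep 5; true'  reports the shell (the daemon would survive a stop)
# tracked_command 'exec sleep 5'   reports sleep
```

The second function is the whole argument in one line: only with exec does the PID the supervisor holds belong to the process you want stopped.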

The multi-user support in tmux is a bit weak, and it lacks any way to synchronously wait for a session to end without attaching to it. I settled on using screen instead; since they (by default) use different shortcuts it is quite convenient to attach to a screen session from within my normal tmux.

The default Debian irc user has the home directory /var/run/ircd, which does not exist unless ircd is installed (which I don't need), so just symlink it:

One day after the Kongress I finally finished my VPN setup. The problem with most “standard” VPN setups (including mine when I went to Hamburg) is that they are IPv4 only, leaving your IPv6 traffic unencrypted unless you block it completely. OpenVPN finally supports IPv6 over TUN devices as of 2.3.0.

I have a cheap VPS from Netcup. Since they moved to KVM installing any OS is relatively easy, for this machine I chose OpenBSD. The setup should be similar on FreeBSD and DragonFly since they also have PF, although their PF version may be older and the syntax therefore slightly different.

Netcup provides one IPv6 /64, but setting up IPv6 for OpenVPN requires separate network blocks for the upstream internet connection and for the VPN. One option is buying another /64, but this is relatively expensive (given the whole VPS is less than 10EUR/month) and requires a fax. Instead I used a SixXS tunnel, where IPv6 addresses are free. IPv6 traffic for the VPS itself uses the native IPv6.

Prerequisites

a Netcup VPS with OpenBSD (5.4 or higher; otherwise the packaged OpenVPN is too old for IPv6) and working networking

a client (tested with Debian Wheezy)

SixXS setup

If you do not already have a SixXS account, sign up, request a tunnel and an extra subnet, and let the subnet be routed to the tunnel. Note that if you are signing up new, your tunnel may need to be up for a while before you have enough ISK to request a subnet.

Set the tunnel to 6in4-static and enter the IPv4 address of your server. Set the MTU to 1480; 6in4 has less overhead than the other tunnel methods. On the server, configure the tunnel endpoint in /etc/hostname.gif0. The firewall rules, in /etc/pf.conf, are as follows:

set block-policy return
set skip on lo
# NAT for IPv4 VPN (covers the OpenVPN client ranges)
match out on egress from 10.8.0.0/16 to any nat-to egress:0
# default rules
block in
pass out
# normal traffic rules
block in on egress
# allow SSH
pass in on egress proto tcp from any to (egress) port 22
pass in proto icmp
pass in proto icmp6
# "vpn" is the OpenVPN tun interface. pf does not check that a name used
# after "on" exists, so either write tun0 here or put tun0 into a group
# called vpn (ifconfig tun0 group vpn); otherwise these rules never match.
pass in on vpn
# OpenVPN
pass in on egress proto { tcp udp } from any to (egress) port 1194
# IPv6 routing for VPN: send the clients' SixXS addresses out through the tunnel
pass in on vpn from <your SixXS IPv6 block> to ! (egress) route-to (gif0 <PoP IPv6>)
# allow incoming tunnel traffic (6in4 is IP protocol 41) from the SixXS PoP
pass in on egress proto 41 from <PoP IPv4> to (egress)

Adjust the last two rules to your SixXS addresses. The route-to rule makes sure that IPv6 traffic from the VPN leaves through the SixXS tunnel. Incoming traffic to the VPN clients is not allowed; if you want it, add a line like

pass in on gif0 from any to <your IPv6 block> <further limits> route-to (tun0 <Your IPv6>)

(untested). Incoming proto 41 traffic, on the other hand, is explicitly allowed; otherwise the encapsulated packets never reach the gif interface unless recent outgoing traffic created an entry in the state table.
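Two checks worth running on a ruleset like the one above before loading it, written here as an added example (not part of the original post): one lists the placeholders that still have to be replaced, the other lists every interface or group name the rules depend on, which is how a silently dead "pass in on vpn" gets caught. POSIX sh, sed, awk, grep and sort are assumed; the check against ifconfig has to run on the firewall host itself.

```shell
#!/bin/sh
# Added example (not part of the original post): two sanity checks for a
# pf.conf like the one above, to run before "pfctl -nf /etc/pf.conf".
# Assumes POSIX sh, sed, awk, grep and sort; interface names are taken from
# the ruleset itself.

# Print every <placeholder> still in the file, one per line; return 1 if any.
# pfctl rejects them as syntax errors anyway, but this gives a clear list.
pf_placeholders() {
    found=$(grep -o '<[^>]*>' "$1" | sort -u)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# List the interface (or group) names used after "on" and in "route-to (...)",
# minus $macros. "egress" is a built-in group and "lo"/"gif0" real interfaces,
# but a name like "vpn" only matches if the OpenVPN tun interface is put into
# a group of that name (ifconfig tun0 group vpn); pf accepts a rule on a
# non-existent interface and simply never matches it.
pf_interfaces() {
    sed 's/#.*//' "$1" | tr '()' '  ' \
    | awk '{ for (i = 1; i < NF; i++)
               if (($i == "on" || $i == "route-to") && $(i+1) !~ /^\$/) print $(i+1) }' \
    | sort -u
}

# Report names from pf_interfaces that ifconfig does not know about.
# Run this on the firewall host, after OpenVPN has created its tun interface.
pf_check_interfaces() {
    rc=0
    for ifn in $(pf_interfaces "$1"); do
        ifconfig "$ifn" >/dev/null 2>&1 || { echo "no such interface or group: $ifn"; rc=1; }
    done
    return $rc
}

# Typical use on the server:
#   pf_placeholders /etc/pf.conf && pf_check_interfaces /etc/pf.conf && pfctl -nf /etc/pf.conf
```

Run on the ruleset above, pf_interfaces reports egress, gif0, lo and vpn; the first three exist on the server, the last one only if you created the group.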

Load the firewall configuration with

# pfctl -f /etc/pf.conf

and bring the VPN up with

# sh /etc/netstart tun0

You should now be able to connect to it. The client configuration is nothing special:

When booting from the installer CD you will get errors like "uid 0 on /: file system full" clogging up the screen right after the disk setup. Press Ctrl+Z to get to the shell, then

mv /tmp/* /mnt/tmp
rm -r /tmp
ln -s /mnt/tmp /tmp
fg

and installation will continue. This has to be done after the disk setup so the filesystems are already created and mounted. Choose http as install source and enter the server name mirror1.us.bitrig.org. It complained about the SHA256 sums of the downloaded files not matching what is expected, but it worked anyway.

EDIT: Snapshots seem to be gone, can’t find any currently. Dunno what’s up with that…

I have a server running DragonFly that I wanted to use as a VPN endpoint so I no longer have to rely on third-party VPNs just to get out of an insecure WiFi. These instructions, as they stand, will probably only work on DragonFly (NAT syntax changed in OpenBSD recently; DragonFly uses pf from OpenBSD 4.4, FreeBSD 9 uses pf from OpenBSD 4.5).

The first step was getting pf up and running. All in all, the following ruleset worked for me:

This already includes the rules to make the two VPNs work later on. Also, this ruleset is very lenient when it comes to both outgoing traffic and ICMP: everything is allowed there. I may or may not restrict this further in the future, but for now I mostly needed the NAT capabilities of pf. For some reason I needed to specify IPv4 and IPv6 rules separately, otherwise I would get no IPv6 traffic out, and lists did not work either. Also, DragonFly's pf seems not to keep state by default.

To activate pf, set

pf="YES"

in /etc/rc.conf and load it with

sudo /etc/rc.d/pf start

When changing the ruleset, update it with

sudo /etc/rc.d/pf reload

To get the server to actually do routing, set the sysctl net.inet.ip.forwarding=1 both in /etc/sysctl.conf (so it is persistent) and (to avoid rebooting) directly:

sudo sysctl net.inet.ip.forwarding=1

Next up is configuring the VPNs. I decided to create two separate networks, one being NATed through the server to the outside world, one just for connecting to services I don’t want to expose publicly on the server (or possibly in the future, other VPN clients).

First, install OpenVPN:

cd /usr/pkgsrc/net/openvpn; bmake install clean

assuming you have pkgsrc already set up. Copy /usr/pkg/share/examples/rc.d/openvpn to /usr/pkg/etc/rc.d and set openvpn_enable="YES" in /etc/rc.conf.

Create the OpenVPN keys using easy-rsa. Copy /usr/pkg/share/openvpn/easy-rsa somewhere else, edit vars in that copy to your liking, then run the easy-rsa build scripts there to create the CA, a server and a client certificate. Also generate a TLS auth key with

openvpn --genkey --secret ta.key

and copy the dh????.pem, the server certificate and key, ca.crt and ta.key to /usr/pkg/etc/openvpn. If your client is a Mac with Tunnelblick (http://code.google.com/p/tunnelblick/), copy the client certificate, client key, ta.key and ca.crt into a folder with the .tblk extension along with this configuration file (call it config.ovpn):

The server-side configuration goes into /usr/pkg/etc/openvpn/server.conf and contains:

local <server IP> #this is optional
port 1194
proto udp
dev tun0
ca ca.crt
cert <server name>.crt
key <server name>.key
dh dh2048.pem
;dh dh1024.pem # if you went for 1024 bit RSA
# this is the client IP range
# note that this is the same as the 'nat' line in pf.conf
server 10.8.42.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# push default gateway to clients,
# telling them to redirect all traffic through the VPN
push "redirect-gateway def1 bypass-dhcp"
# push a good DNS server too
# if you don't the local, un-VPNed one might still be in use
push "dhcp-option DNS 8.8.8.8"
# we want clients to see each other
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

Start OpenVPN with sudo /usr/pkg/etc/rc.d/openvpn start and you should be able to connect to the internet through the VPN (after you installed the client configuration of course).

The configuration for the second VPN is very simple: change the port to 1195 in both client and server config (create copies), give the second server instance its own tun device and address pool, since two OpenVPN processes cannot open the same tun0 or hand out the same subnet, and in the server configuration file replace

# push default gateway to clients,
# telling them to redirect all traffic through the VPN
push "redirect-gateway def1 bypass-dhcp"
# push a good DNS server too
# if you don't the local, un-VPNed one might still be in use
push "dhcp-option DNS 8.8.8.8"

so that the clients know that everything in 10.8.0.0/16 should go through the VPN. With this VPN you can connect to services bound, e.g., to 10.8.42.1 on the server which you don't want to be reachable from outside.
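The client configuration that the post leaves out (for both the Tunnelblick bundle and the second VPN) has to agree with server.conf in a few places that OpenVPN does not complain about loudly, so here is an added example (not the author's files): a client config to pair with the server.conf above, the internal VPN's server config derived from it, and a checker for the usual mismatches. POSIX sh, sed and awk are assumed; the hostname vpn.example.org, the certificate name "client" and the 10.8.43.0/24 pool for the internal VPN are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: a client config that pairs
# with the server.conf above, a derived config for the second (internal) VPN,
# and a checker for the mismatches that break or weaken such a pair.
# Assumes POSIX sh, sed and awk. The hostname, the "client" cert name and the
# 10.8.43.0/24 pool for the internal VPN are placeholders chosen here.

# Value of directive $2 in OpenVPN config $1 (first uncommented occurrence).
ovpn_get() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# True if directive $2 occurs uncommented in config $1.
ovpn_has() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# Client config: $1 = output file, $2 = server host, $3 = port, $4 = cert basename.
ovpn_client_config() {
    cat > "$1" <<EOF
client
dev tun
proto udp
remote $2 $3
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $4.crt
key $4.key
# require the server's certificate to be marked for server use; without this
# any certificate signed by the same CA (another client's) is accepted as server
remote-cert-tls server
# key direction 1 on the client, 0 on the server
tls-auth ta.key 1
comp-lzo
verb 3
EOF
}

# Internal VPN server config derived from the public one ($1 -> $2): other port,
# its own tun device, pool and state files (two instances cannot share tun0 or
# a subnet), and a route for 10.8.0.0/16 instead of a default gateway and DNS.
ovpn_internal_server_config() {
    sed -e 's/^port 1194$/port 1195/' \
        -e 's/^dev tun0$/dev tun1/' \
        -e 's/^server 10\.8\.42\.0 /server 10.8.43.0 /' \
        -e 's/^ifconfig-pool-persist ipp\.txt$/ifconfig-pool-persist ipp-internal.txt/' \
        -e 's#^status /var/log/openvpn-status\.log$#status /var/log/openvpn-internal-status.log#' \
        -e '/^push "redirect-gateway /d' \
        -e '/^push "dhcp-option DNS /d' "$1" > "$2"
    printf 'push "route 10.8.0.0 255.255.0.0"\n' >> "$2"
}

# Compare a server config with a client config; print every mismatch that
# would make the pair fail or be weaker than intended, return 1 if any.
ovpn_check_pair() {
    srv=$1; cli=$2; rc=0
    sproto=$(ovpn_get "$srv" proto); cproto=$(ovpn_get "$cli" proto)
    [ "$sproto" = "$cproto" ] || { echo "proto: server=$sproto client=$cproto"; rc=1; }
    sport=$(ovpn_get "$srv" port)
    cport=$(ovpn_get "$cli" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || { echo "port: server=$sport client=$cport"; rc=1; }
    # tls-auth key direction must be 0 on the server and 1 on the client
    sdir=$(ovpn_get "$srv" tls-auth | awk '{ print $2 }')
    cdir=$(ovpn_get "$cli" tls-auth | awk '{ print $2 }')
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] || { echo "tls-auth direction: server=$sdir client=$cdir (need 0 and 1)"; rc=1; }
    # comp-lzo must be set on both sides or on neither
    if ovpn_has "$srv" comp-lzo; then slzo=yes; else slzo=no; fi
    if ovpn_has "$cli" comp-lzo; then clzo=yes; else clzo=no; fi
    [ "$slzo" = "$clzo" ] || { echo "comp-lzo: server=$slzo client=$clzo"; rc=1; }
    # without this, any certificate signed by the CA passes as the server
    ovpn_has "$cli" remote-cert-tls || { echo "client lacks remote-cert-tls server"; rc=1; }
    return $rc
}
```

The remote-cert-tls check is the one to keep even if you drop the rest: the server config above hands every client a certificate from the same CA, and without that directive a client certificate is just as good as the server's for a man-in-the-middle on the WiFi you are trying to escape.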